英文:
pods is forbidden: User tote-admin cannot list resource pods in API group at the cluster scope
问题
我正在在我的kubeadm Kubernetes集群中创建一个名为tote的新用户。首先,我创建了一个密钥:
openssl genrsa -out tote.key 2048
然后,我创建了一个CSR:
openssl req -new -key tote.key -subj "/CN=tote-admin" -out tote.csr
最后,我正在按照kubernetes文档中的这里的说明操作:
A)我创建了一个证书签名请求清单:
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
name: tote
spec:
request: XXXXXX(生成的CSR的base64编码)
signerName: kubernetes.io/kube-apiserver-client
usages:
- client auth
B)使用kubectl批准CSR:
kubectl certificate approve tote
C)生成tote用户的crt证书:
kubectl get csr tote -o jsonpath='{.status.certificate}' | base64 -d > tote.crt
最后,当尝试使用tote用户的apiserver URL列出pods时,它给出以下错误:
curl https://172.31.127.100:6443/api/v1/pods --key tote.key --cert tote.crt --cacert /etc/kubernetes/pki/ca.crt
响应如下:
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {},
"status": "Failure",
"message": "pods is forbidden: User \"tote-admin\" cannot list resource \"pods\" in API group \"\" at the cluster scope",
"reason": "Forbidden",
"details": {
"kind": "pods"
},
"code": 403
}
有什么帮助可以解决这个问题并允许用户tote访问pods吗?
英文:
I am creating a new user in my kubeadm kubernetes cluster named tote. so first I created a key:
openssl genrsa -out tote.key 2048
Then I created a CSR:
openssl req -new -key tote.key -subj "/CN=tote-admin" -out tote.csr
Finally, I am following kubernetes docs in here so:
A) I create a certificate signing request manifest:
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
name: tote
spec:
request: XXXXXX (based64 of the generated CSR)
signerName: kubernetes.io/kube-apiserver-client
usages:
- client auth
B) Approve the CSR using kubectl:
kubectl certificate approve tote
C) Produce the crt certificate for tote user:
kubectl get csr tote -o jsonpath='{.status.certificate}'| base64 -d > tote.crt
Finally, when trying to list pods using apiserver url using tote user, it gives me error as the following:
curl https://172.31.127.100:6443/api/v1/pods --key tote.key --cert tote.crt --cacert /etc/kubernetes/pki/ca.crt
And the response:
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {},
"status": "Failure",
"message": "pods is forbidden: User \"tote-admin\" cannot list resource \"pods\" in API group \"\" at the cluster scope",
"reason": "Forbidden",
"details": {
"kind": "pods"
},
"code": 403
Any help how to resolve this issue and allow user tote to access pods?
答案1
得分: 1
-
看起来您的身份验证正在工作,但用户缺少必要的权限。您需要为您使用的用户创建RBAC权限。请参考使用RBAC授权。
-
也尝试从.kube/config文件中捕获证书。
像客户端密钥数据:echo -n "LS0....Cg==" | base64 -d > admin.key
客户端证书数据:
echo -n "LS0...C==" | base64 -d > admin.crt
证书颁发机构数据:
echo -n "LS0...g==" | base64 -d > ca.crt
然后使用以下命令:
curl https://172.31.127.100:6443 \
--key admin.key \
--cert admin.crt \
--cacert ca.crt
英文:
-
Looks your Auth working, but user doesn't have the necessary permissions. You need to create RBAC permissions for the user you use. Refer to Using RBAC Authorization
-
And also try capturing certs from the .kube/config file.
Like client-key data :echo -n "LS0....Cg==" | base64 -d > admin.key
Client-certificate-data :
echo -n "LS0...C==" | base64 -d > admin.crt
Certificate authority-data :
echo -n "LS0...g==" | base64 -d >ca.crt
Then use, curl https://172.31.127.100:6443 \
--key admin.key \
--cert admin.crt
--cacert can.crt
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论